QUESTION & ANSWER

Protect yourself: What you need to know about the Sircam worm

By Christine M. Campbell, Assistant News Editor 25 Jul 2001 | SearchSecurity

Digg This!     StumbleUpon     Del.icio.us

Sircam's damage ranges from deleting files and folders to sending your personal files to others. To help you protect systems in your organization, searchSecurity Assistant News Editor Christine M. Campbell spoke with David Hughes, president of U.S. operations for Abington, U.K.-based antivirus software vendor Sophos Inc. Hughes offered tips for avoiding the worm, what the worm can do if it's opened, and what companies can do after the fact to minimize the damage.

What happens when you open this worm?
Hughes: This is a pretty devious character. If the attachment is opened, the worm copies itself into the Windows system directory with the filename Scam32.exe. It also copies itself as a file called Sirc32.exe to the Recycled Files directory with its files attributes set to "Hidden," so that people wouldn't be aware that it's there. It also changes a registry key so that it runs on Windows startup. The worm then uses the registry key to save data used internally by the worm code.

Essentially, if the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with the open share. The worm contains its own SMTP routine, which it uses to send e-mail messages to e-mail addresses found in the Windows address book and the temporary Internet folder.

David Hughes, Sophos President of US Operations

Does the fact that Sircam doesn't rely on Microsoft Outlook make it more dangerous?
Hughes: It adds another dimension. There may have been people who aren't using Outlook, who feel that perhaps they've been less vulnerable. ...In this case, they're indeed as vulnerable as others.

What are some of the consequences of Sircam?
Hughes: I did allude to the fact that it has the capability to scoop up files that are on one's hard drive and then to send them out to names and addresses it finds in various ways. The risk here, of course, is that this could very well be a company's confidential information or sensitive personal information that one would never contemplate sending out to friends or associates.

The second risk is a bit more minimal. There is a one in 20 chance that the worm has been set to attempt to delete all files from the hard drive on Oct. 16. The real threat here, though, is the threat to one's corporate or personal credibility through the forwarding of these documents.

What are the best ways to avoid this worm?
Hughes: We always preach the importance of the antivirus protection triad, if you will. Number one, it's crucially important that customers keep their antivirus software up-to-date...Number two, it's really important that companies practice safe computing practices. And number three, they need to train their people to have a healthy suspicion of unsolicited e-mails and unsolicited attachments in particular. As with most things, it's the combination of technology, people and processes that are key to providing an effective solution.

How do you prevent employees from opening these kinds of attachments?
Hughes: It's very hard, and virus writers have become very adept at coming up with seductive subject lines. ...That was the case with the Anna Kournikova virus, for example, and the case with the so-called "Naked Wife" virus...We always recommend that companies train their employees never to open an unsolicited e-mail...But because so many viruses are spread using one's Outlook address book, often viruses will come from someone that you do know. We advise that people not open attachments that they're not expecting.

Then, they have to be cautious about the name. In the case of the "I Love You" virus, it's unlikely that one's manager would be sending them a love note. People just have to apply some common sense and some forethought before they open everything that's in their inbox.

What can companies do to improve their level of protection against these worms?
Hughes: It's critically important that companies apply the security patches they receive from their vendors. It's amazing to see how many companies have not applied the security patches that Microsoft has issued.

We recommend that people disable Windows scripting for most people who don't need that capability. We also recommend that companies not exchange Word .doc files or Excel .xls files, because both of those formats can carry macro viruses, while .rtf (Rich Text Format) files and .csv files cannot.

Some companies are implementing content filtering software, which is very good. Although, content filtering software might be less likely to work in this case because the subject line is constantly changing with (Sircam). This worm has the capability to scoop up documents that are on one's hard drive, and it takes the subject line that is the same as the name of the file.

What should companies do if a user opens the worm?
Hughes: The first thing they should do is contact their antivirus software vendor. Vendors will typically have software that can be used to decontaminate the user's workstation.

Then, they should take this as yet another wakeup call about the need for user training and the implementation of safe computing practices.

FOR MORE INFORMATION:

searchSecurity has the Best Web Links on common vulnerabilities and protection tips

Has the worm hit your or your users? Tell us about your experience in our searchSecurtiy sound-off forum

Do you need help getting an effective security policy in place in your company? Ask our searchSecurity expert for advice.

Sophos

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary